Principles of Management

Ian Graham's Blog on Operations & Innovation.

Heartbleed

The OpenSSL project describes itself as “a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.” The software developed by OpenSSL can be freely adopted by server operators and operating system developers to implement SSL without having to pay royalties to commercial firms.

In early April security specialists at Google and Codenomicon, a Finnish computer security firm, independently identified a vulnerability in the OpenSSL Heartbeat software that could allow access to cryptographic keys, compromising the security of websites using the software. The flaw was significant because it had existed for two years and left no trace when it was exploited. The last two weeks have seen hurried upgrading of systems to close the vulnerability and widespread requirements for users to recreate passwords. Codenomicon gave the bug the catchy name Heartbleed, set up a website for it and gave it a logo; by now it probably has its own Twitter and Facebook pages so that you can “follow” or “like” it.

The number of websites affected is a graphic illustration of the success of open-source software; but the bug also demonstrates the potential operational risks for users who depend upon software developed in non-commercial communities. The coding error was introduced into the code by Dr Robin Seggelmann and was reviewed by only one person, who missed it, before it was circulated to the world. The code with the vulnerability was freely available, so the fact that no-one spotted the bug in two years shows the confidence, or appetite for risk, of the software's commercial users. Of course no-one can be sure that the vulnerability was not spotted by people who quietly exploited it, whether criminals or security agencies.
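To make the two points above concrete (a flaw that leaves no trace, and a single missing check that one reviewer did not catch), here is an added illustration in C; it is not OpenSSL's code or the post's, and the constructed memory layout, wire format and function names are assumptions. The same handler is shown with the length check switched off and on: without it the reply silently carries bytes from beyond the request.

```c
#include <stddef.h>
#include <string.h>
/* Added illustration, not OpenSSL's code: a cut-down model of answering a TLS
 * heartbeat request (assumed: 1 type byte, 2-byte length, payload, 16 padding). */
#define HB_REQUEST   1
#define HB_RESPONSE  2
#define HB_PADDING  16
#define RECORD_LEN  23

/* Constructed "process memory": a 23-byte record whose length field claims a
 * 40-byte payload although only "ping" follows it, and, right after the
 * record, bytes that must never leave the process. */
static const unsigned char memory[] =
    "\x01\x00\x28ping"          /* type, claimed length 40, 4-byte payload */
    "PPPPPPPPPPPPPPPP"          /* 16 bytes of padding                    */
    "SECRET-KEY-MATERIAL!";     /* 20 bytes that lie beyond the record    */

/* Builds the reply into out; returns bytes written, or -1 if the request is
 * rejected. check_length selects the unchecked or the checked behaviour. */
int heartbeat_reply(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap, int check_length)
{
    if (rec_len < 3 || rec[0] != HB_REQUEST) return -1;
    size_t payload = ((size_t)rec[1] << 8) | rec[2];  /* taken from the peer */

    /* The missing check: header, claimed payload and padding must fit in the
     * record that actually arrived. Without it, memcpy reads past the record
     * and the reply carries whatever lay there; nothing fails, nothing is logged. */
    if (check_length && 1 + 2 + payload + HB_PADDING > rec_len) return -1;
    size_t total = 3 + payload + HB_PADDING;
    if (total > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = (unsigned char)(payload >> 8);
    out[2] = (unsigned char)(payload & 0xff);
    memcpy(out + 3, rec + 3, payload);      /* copies 'payload' bytes blindly */
    memset(out + 3 + payload, 0, HB_PADDING);
    return (int)total;
}

/* Returns 1 if the reply to the constructed record contains bytes that were
 * never part of the record, 0 otherwise. */
int reply_leaks(int check_length)
{
    unsigned char out[128];
    int n = heartbeat_reply(memory, RECORD_LEN, out, sizeof out, check_length);
    for (int i = 0; n > 0 && i + 6 <= n; i++)
        if (memcmp(out + i, "SECRET", 6) == 0) return 1;
    return 0;
}
```

A well-formed request, whose length field matches what was sent, passes the check unchanged, which is why the fix could be deployed without breaking legitimate clients.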


Dr Ian Graham

Senior Lecturer in Operations Management at the University of Edinburgh Business School, Edinburgh, Scotland. This blog supports his teaching in operations management, innovation and quality management and provides background on his research in the sociology of standards and the management of operational risk.